/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is mozilla.org code.
 *
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are
 * Copyright (C) 1998 Netscape Communications Corporation. All
 * Rights Reserved.
 *
 * Contributor(s):
 *   Javier Delgadillo <javi@netscape.com>
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable
 * instead of those above.  If you wish to allow use of your
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

#include "nsISupports.idl"

interface nsIArray;
interface nsIX509CertValidity;
interface nsIASN1Object;

/**
 * This represents a X.509 certificate.
 *
 * @status FROZEN
 */
[scriptable, uuid(f0980f60-ee3d-11d4-998b-00b0d02354a0)]
interface nsIX509Cert : nsISupports {

  /**
   *  A nickname for the certificate.
   */
  readonly attribute AString nickname;

  /**
   *  The primary email address of the certificate, if present.
   */
  readonly attribute AString emailAddress;

  /**
   *  Obtain a list of all email addresses
   *  contained in the certificate.
   *
   *  @param length The number of strings in the returned array.
   *  @return An array of email addresses.
   */
  void getEmailAddresses(out unsigned long length, 
                         [retval, array, size_is(length)] out wstring addresses);

  /**
   *  Check whether a given address is contained in the certificate.
   *  The comparison will convert the email address to lowercase.
   *  The behaviour for non ASCII characters is undefined.
   *
   *  @param aEmailAddress The address to search for.
   *                
   *  @return True if the address is contained in the certificate.
   */
  boolean containsEmailAddress(in AString aEmailAddress);

  /**
   *  The subject owning the certificate.
   */
  readonly attribute AString subjectName;

  /**
   *  The subject's common name.
   */
  readonly attribute AString commonName;

  /**
   *  The subject's organization.
   */
  readonly attribute AString organization;

  /**
   *  The subject's organizational unit.
   */
  readonly attribute AString organizationalUnit;

  /**
   *  The fingerprint of the certificate's public key,
   *  calculated using the SHA1 algorithm.
   */
  readonly attribute AString sha1Fingerprint;

  /**
   *  The fingerprint of the certificate's public key,
   *  calculated using the MD5 algorithm.
   */
  readonly attribute AString md5Fingerprint;

  /**
   *  A human readable name identifying the hardware or
   *  software token the certificate is stored on.
   */
  readonly attribute AString tokenName;

  /**
   *  The subject identifying the issuer certificate.
   */
  readonly attribute AString issuerName;

  /**
   *  The serial number the issuer assigned to this certificate.
   */
  readonly attribute AString serialNumber;

  /**
   *  The issuer subject's common name.
   */
  readonly attribute AString issuerCommonName;

  /**
   *  The issuer subject's organization.
   */
  readonly attribute AString issuerOrganization;

  /**
   *  The issuer subject's organizational unit.
   */
  readonly attribute AString issuerOrganizationUnit;

  /**
   *  The certificate used by the issuer to sign this certificate.
   */
  readonly attribute nsIX509Cert issuer;

  /**
   *  This certificate's validity period.
   */
  readonly attribute nsIX509CertValidity validity;

  /**
   *  A unique identifier of this certificate within the local storage.
   */
  readonly attribute string dbKey;

  /**
   *  A human readable identifier to label this certificate.
   */
  readonly attribute string windowTitle;

  /**
   *  Constants to classify the type of a certificate.
   */
  const unsigned long UNKNOWN_CERT =      0;
  const unsigned long CA_CERT      = 1 << 0;
  const unsigned long USER_CERT    = 1 << 1;
  const unsigned long EMAIL_CERT   = 1 << 2;
  const unsigned long SERVER_CERT  = 1 << 3;

  /**
   *  Constants for certificate verification results.
   */
  const unsigned long VERIFIED_OK          =      0;
  const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
  const unsigned long CERT_REVOKED         = 1 << 1;
  const unsigned long CERT_EXPIRED         = 1 << 2;
  const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
  const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
  const unsigned long ISSUER_UNKNOWN       = 1 << 5;
  const unsigned long INVALID_CA           = 1 << 6;
  const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
  
  /**
   *  Constants that describe the certified usages of a certificate.
   */
  const unsigned long CERT_USAGE_SSLClient = 0;
  const unsigned long CERT_USAGE_SSLServer = 1;
  const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
  const unsigned long CERT_USAGE_SSLCA = 3;
  const unsigned long CERT_USAGE_EmailSigner = 4;
  const unsigned long CERT_USAGE_EmailRecipient = 5;
  const unsigned long CERT_USAGE_ObjectSigner = 6;
  const unsigned long CERT_USAGE_UserCertImport = 7;
  const unsigned long CERT_USAGE_VerifyCA = 8;
  const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
  const unsigned long CERT_USAGE_StatusResponder = 10;
  const unsigned long CERT_USAGE_AnyCA = 11;

  /**
   *  Obtain a list of certificates that contains this certificate 
   *  and the issuing certificates of all involved issuers,
   *  up to the root issuer.
   *
   *  @return The chain of certifficates including the issuers.
   */
  nsIArray getChain();

  /**
   *  Obtain an array of human readable strings describing
   *  the certificate's certified usages.
   *
   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
   *  @param verified The certificate verification result, see constants.
   *  @param count The number of human readable usages returned.
   *  @param usages The array of human readable usages.
   */
  void getUsagesArray(in boolean ignoreOcsp,
                      out PRUint32 verified,
                      out PRUint32 count, 
                      [array, size_is(count)] out wstring usages);

  /**
   *  Obtain a single comma separated human readable string describing
   *  the certificate's certified usages.
   *
   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
   *  @param verified The certificate verification result, see constants.
   *  @param purposes The string listing the usages.
   */
  void getUsagesString(in boolean ignoreOcsp, out PRUint32 verified, out AString usages);

  /**
   *  Verify the certificate for a particular usage.
   *
   *  @return The certificate verification result, see constants.
   */
   unsigned long verifyForUsage(in unsigned long usage);

  /**
   *  This is the attribute which describes the ASN1 layout
   *  of the certificate.  This can be used when doing a
   *  "pretty print" of the certificate's ASN1 structure.
   */
  readonly attribute nsIASN1Object ASN1Structure;

  /**
   *  Obtain a raw binary encoding of this certificate
   *  in DER format.
   *
   *  @param length The number of bytes in the binary encoding.
   *  @param data The bytes representing the DER encoded certificate.
   */
  void getRawDER(out unsigned long length,
	               [retval, array, size_is(length)] out octet data);

  /**
   *  Test whether two certificate instances represent the 
   *  same certificate.
   *
   *  @return Whether the certificates are equal
   */
  boolean equals(in nsIX509Cert other);
};
